Cisco Simple GRE with IPSEC Tunnels
GRE with IPSEC KB ID 0000951 Problem I’ve spent years setting up VPN tunnels between firewalls. The only time I’ve ever dealt with GRE is for letting VPN client software though firewalls. GRE’s job is to ‘encapsulate’ other protocols and transport those protocols inside a virtual point to point link. Below is the topology, I’m going to use. The tunnel will run form Router R1 to Router R3, once...
Cisco – Configuring Dynamic Multipoint Virtual Private Networks DMVPN
DMVPN KB ID 0000954 Problem A while back I uploaded a run through on how to deploy GRE tunnels and protect those tunnels with IPsec. That point-to-point GRE tunnel is a good solution, but if you have a lot of sites it’s not a solution that scales very well. Yes you can have 2147483647 tunnel interfaces, but good luck manually configuring all those tunnels and even if you did, if you want each of your remote sites to talk to each...
Implementing GDOI into DMVPN
GDOI into DMVPN KB ID 0000956 Problem Just recently I covered DMVPN, which is a great scalable system for adding new sites to your network infrastructure and have them join an existing VPN solution without the need to add extra config at the ‘hub’ site. One of the advantages of DMVPN is it maintains VPN connections from your ‘Spoke’ sites back to the ‘Hub’ site, but if a spoke site needs to speak...
Enabling Cisco DNS Lookup (ASA and IOS)
Cisco DNS Lookup KB ID 0000969 Problem For the most part, devices are more concerned with IP and MAC addresses, but the devices do have the ability to translate those IP addresses using DNS. Solution : Cisco DNS Lookup How to Enable Cisco DNS Lookup on ASA As ASA is ‘My Thing’ I will start with that. 1. Connect to the ASA, log in and go to enable mode, and then global configuration mode. Type help or ‘?’ for...
Cisco Router – Configure NAT (NAT Overload)
NAT Overload KB ID 0000971 Problem NAT is the process of taking one or more IP addresses and translating it/them into different IP addresses. You may require your router to translate all your internal IP addresses to your public (ISP allocated) IP address. To do that we use a process called NAT Overload. Solution : Nat Overload 1. Connect to the router, and got to enable mode, then global configuration mode. PetesRouter#configure...
Cisco ASA Domain Authentication and Trust (Allowing)
ASA Domain Authentication KB ID 0000973 Problem I cringed this morning when I was asked about this, last time I had to get a client to authenticate to a domain through a firewall, it was ‘entertaining’. The problem is Windows loves to use RPC, which likes to use random ports, so to make it work you either had to open TCP ports 49152 and 65535 (Yes I’m Serious). Or you had to registry hack all your domain controllers...
Cisco ASA – Remote VPN Client Internet Access
VPN Client Internet Access KB ID 0000977 Problem I have answered a lot of questions in forums, that are worded something like, “When I have a remote client connected to my firewall VPN they lose Internet access!” Traditionally that’s exactly what the ‘default’ remote VPN Internet access (IPSEC or AnyConnect) gave you. To ensure your remote VPN clients can access the Internet you have two options. The...
Cisco ASA – VPN Reverse Route Injection With OSPF
Reverse Route Injection KB ID 0000982 Problem Reverse Route injection is the process that can be used on a Cisco ASA to take a route for an established VPN, and populate/inject that route into the routing table of other devices in it’s routing group. In the example below, on the main site, we have a Layer 3 switch that’s routing all the 192.168.x.x networks, and we have an established site to site VPN to a remote site. To...
Cisco ASA Remote Management via VPN
ASA Remote Management KB ID 0000984 Problem It’s been ages since I has to do this, I usually just manage firewalls via SSH from outside. But I was out on a client site last week and needed to connect to to my ASA, so I simply connected in via AnyConnect; Note: The same procedure is applicable if you are an IPSEC VPN client, L2TP VPN client, or simply coming in over a site to site VPN link. And attempted to SSH, no joy, I tried...
Error 1722 There is a problem with this Windows Installer package.
Error 1722 KB ID 0000985 Problem Error 1722 is a pretty ‘generic’ windows installer package error. When attempting to install the AnyConnect client software this happened; Error 1722. There is a problem with this Windows Installer package. A program run as part of the setup did not finish as expected. Contact your support personnel or package vendor. Action VACon_Install, location: C:Program FilesCiscoCisco AnyConnect...